Systemd Service Hardening: The Options That Actually Reduce Attack Surface

ProtectSystem, PrivateTmp, NoNewPrivileges, CapabilityBoundingSet — which options meaningfully constrain a service and which are theater for the audit report.

Overview

This note is part of the field-notes archive generated for this site. The summary below is the published excerpt; you can expand the full write-up anytime in the CMS.

Related notes

Linux Cgroups Container Memory Limits
Security Tradeoffs Engineering Roadmap

Systemd Service Hardening: The Options That Actually Reduce Attack Surface

Overview

Related notes

Tags

Tags

Manish Bookreader

You Might Also Like

Attention Is All You Need: Notes Seven Years Later

Post-Quantum Cryptography in Embedded Systems: CRYSTALS-Kyber on Cortex-M4

Designing for Debuggability: The System Properties That Make 2 AM Easier